Created attachment 674493: testcase

The child process crashes touching an address that's obviously attacker-controllable.
Created attachment 674496: stack

No particular reason this needs ASan. I think it just happens to be my only setup where I detect child-process crashes, and where the Test Plugin runs.
We don't ship the testplugin; I'm not sure why this needs to be s-s. There are probably lots of ways to abuse the testplugin testing methods, and I'm not sure it's worth fixing them.
Jesse, is the plugin exercising a problem on our end?
(In reply to Benjamin Smedberg [:bsmedberg] from comment #2)
> There are probably lots of ways to abuse the testplugin testing methods, and
> I'm not sure it's worth fixing them.

The DOM fuzzer will have an easier time finding bugs in Gecko's plug-in code if the Test Plugin exposes a large and robust set of APIs. I'll just make it avoid calling throwExceptionNextInvoke for now.
ok, opening this up. Fixing this case shouldn't be hard, although the testplugin was not written in a hardened way and skips a bunch of error checking in general.
Priority: -- → P2
I'm marking this bug as WORKSFORME, as the bug's crash log signature hasn't appeared for a long time (over half a year).
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → WORKSFORME